Police in Ukraine say they’ve arrested six people tied to the CL0P ransomware gang, a group notorious for leaking information from dozens of different companies.
On Wednesday, the National Police of Ukraine released a video that shows investigators raiding homes belonging to the suspects. In total, police conducted 21 searches in the Kyiv region, which also involved seizing millions in cash and confiscating cars.
Ukrainian police didn’t offer details on the arrests. However, they worked with Interpol and law enforcement in the US and South Korea to track down the suspects’ identities.
According to Ukrainian police, the CL0P ransomware gang has caused damages reaching an estimated $500 million. Its members have installed ransomware on computers belonging to US and Korean companies. The attacks work by encrypting the information on the computers and then demanding that victims pay in Bitcoin to receive a decryption key.
Earlier this year, CL0P also managed to steal data from dozens of groups, including Stanford University Medical School, the University of Maryland, and the University of California. The ransomware gang claimed this was done by compromising a third-party supplier called Accellion.
CL0P then began leaking the stolen information through the group’s website on the dark web while threatening to release more confidential files unless victims paid up. CL0P’s leak site currently lists 57 alleged victims.
The announcement from the Ukrainian police says law enforcement has shut down the infrastructure behind the CL0P ransomware. But despite the arrests, the main CL0P ransomware gang is likely still in operation, according to the cybersecurity firm Intel 471, which suspects the police raid primarily hit CL0P’s money-laundering business.
“We do not believe that any core actors behind CL0P were apprehended, due to the fact that they are probably living in Russia,” Intel 471 told security journalist Brian Krebs. “The overall impact to CL0P is expected to be minor although this law enforcement attention may result in the CL0P brand getting abandoned as we’ve recently seen with other ransomware groups like Darkside and Babuk.”